ICO consultation on the draft updated data sharing code of practice


Q1 Does the updated code adequately explain and advise on the new aspects of
data protection legislation which are relevant to data sharing?


O Yes 
© No 


Q2 If not, please specify where improvements could be made.


Vodafone welcomes the opportunity to provide feedback on this data sharing code of 
conduct and is pleased to see the ICO updating their code in order to provide clarity when 
data sharing in line with the new requirements under the GDPR. We would welcome even 
more clarity on what may be the appropriate lawful basis when sharing data with a specific 
reference to legitimate business interests. Would all parties to the data sharing need to 
rely on legitimate business interests or could one party's legitimate business interests
permit data to be shared within a group, to the point that all parties to the data sharing
could rely on that one company’s interest? For example, could a bank’s legitimate
interests to prevent and detect fraud be relied upon when another company is asked for
information they may be holding about their customer in order to verify that individual is
who they say they are?


Q3 Does the draft code cover the right issues about data sharing?


O Yes 
© No 


Q4 If no, what other issues would you like to be covered in it?


Vodafone would welcome having more of an overview of when data could be shared with
other third parties (who are not law enforcement agencies). For example, sharing
intelligence amongst banks of known fraudsters for the purposes of prevention and
detection of fraud. The ICO mentions on page 64 that this may be permissible under sch
1(10) of the DPA and sch 2 (for the prevention and detection of crime) but only in reference
to sharing data with law enforcement agencies. It would be helpful to refer to whether this
extends to other companies who are trying to build a case for the law enforcement agency
to investigate.


Q5 Does the draft code contain the right level of detail?
O Yes 
© No 


Q6 If no, in what areas should there be more detail within the draft code?


Vodafone would welcome clarity on the reference to data pooling on page 18 of the guidance. Does the
ICO believe that data pooling would mean that all parties to that pool will always be considered joint
controllers (as stated), or could there ever be a scenario where they are considered separate controllers? There may be
instances where parties to a data pool could be considered separate controllers, and referencing joint
controllership only in the scenario indicates that the Art 26 obligations apply in every instance of a data
pool when that might not be the case in reality.


Q7 Has the draft code sufficiently addressed new areas or developments in data
protection that are having an impact on your organisation's data sharing
practices?


O Yes 
© No 


Q8 If no, please specify what areas are not being addressed, or not being
addressed in enough detail.


We welcome the updates to the guidance to take into consideration the new requirements under the 
GDPR and the explicit carve out for anonymous data not being in scope of the code. However, we 
would also appreciate a reference to pseudonymisation and whether this would be a useful tool in 
securing data when data sharing and whether the receiving party of pseudonymous data sets would still
need to treat that data as personal, if they do not hold the key and will never have the ability to identify
the individuals in that data set. 


Q9 Does the draft code provide enough clarity on good practice in data sharing? 


© Yes 
© No 


Q10 If no, please indicate the section(s) of the draft code which could be improved,
and what can be done to make the section(s) clearer.


This guidance does provide a lot of clarity and Vodafone very much appreciates the ‘At a glance’ 
summaries to digest the information more easily. What would make the guidance even clearer is if 
there was an assessment tool (similar to the Data Protection self-assessment) for organisations to use 
when thinking about data sharing. This would make the guidance more tailored and interactive when 
looking for specific advice on data sharing. 


Q11 Does the draft code strike the right balance between recognising the benefits of
sharing data and the need to protect it? 


© Yes 
O No 


Q12 If no, in what way does the draft code fail to strike this balance? 


Q13 Does the draft code cover case studies or data sharing scenarios relevant to 
your organisation? 


© Yes 
© No 


Q14 Please provide any further comments or suggestions you may have about the 
draft code. 


Vodafone welcomes the example concerning mobile phone operators and data sharing with 
credit agencies. We believe the example is a good illustration of how that data sharing 
works in practice and is strongly aligned with that interpretation. We would also appreciate 
more examples on sharing data with other organisations (who are not law enforcement 
bodies) for the purposes of fraud and prevention of crime. 


Q15 To what extent do you agree that the draft code is clear and easy to 
understand? 


© Strongly agree 

© Agree 

©) Neither agree nor disagree 
© Disagree 

© Strongly disagree 


Q16 Are you answering as: 


O An individual acting in a private capacity (e.g. someone providing their
views as a member of the public)

© An individual acting in a professional capacity 

© On behalf of an organisation 

O Other 


Q17 Please specify 


Q18 Please specify 
Vodafone Group Services Limited 


Q19 Please specify 


Thank you for taking the time to share your views and experience. 


